Aberdeen Report Points Out Open Source Vulnerabilities

Analysts at Aberdeen Group say the evidence of the last 10 months shows that the popular wisdom about Microsoft security -- that it's the worst -- may be outdated.

"Obviously, the label of poster child for security glitches moved from Microsoft to the shoulders of open source and Linux product suppliers during 2002," analysts Jim Hurley and Eric Hemmendinger wrote in an Aberdeen Group "Perspective" piece published earlier this month. "Open source software, commonly used in many versions of Linux, Unix, and network routing equipment, is now the major source of elevated security vulnerabilities for IT buyers."

The evidence for Aberdeen's unorthodox position? The security advisories put out during the first 10 months of 2002 by CERT, the Computer Emergency Response Team. Analyzing the small sample of advisories issued by CERT (www.cert.org), Aberdeen gleaned several interesting trends.

Virus and trojan horse advisories affecting Microsoft products plummeted from six last year to zero in the first 10 months of this year.

Advisories affecting network equipment went from two in 2001 to six in the first 10 months of 2002.

Aberdeen concludes that "Microsoft overhauled its entire software development process to fix its security problems, and its effort appears to be working. Perhaps it is time for some of the suppliers of open source and Linux software to take similar measures. But the entire IT industry must come to terms with the new reality of Internet computing as the first step in making forward progress. One of these realities is that no one vendor or supplier is more at fault than any other."

Microsoft officials spread the word about the Aberdeen report, but they say Microsoft did not fund or sponsor the Aberdeen research.

Mike Nash, vice president of the security business unit at Microsoft, says the Aberdeen report shows that security is an issue that affects the entire industry, not just Microsoft.

"The key thing here is just the observation that security very clearly is an industry issue. It does really clarify sort of where we are as an industry and what needs to get done and where Microsoft needs to be focused. There is a bit of a gap between perception and reality of where Microsoft needs to be," Nash said.